

Dear Sir or Madam,

I found a DLL hijacking vulnerability in your Microsoft Visual C++ 2010 Redistributable Package and Visual C++ Redistributable for Visual Studio 2015. Recently a lot of DLL hijacking issues in popular software were revealed. So I tested your Visual C++ 2010 Redistributable Packages from 2010 and the latest from 2015. () This is the version from 2010 and as you see it is still downloadable.
And vc_ from (choosing the x86 version).

The security vulnerability is well-documented and also described in docs by Microsoft. So when the user downloads these executables (with a web browser) they are usually saved in the "Downloads" directory. If there is a malicious DLL inside it (e.g. by tricking the user into downloading it via social engineering) this can be executed by your installers. More information about the "download folder planting" here:

So I tested your installers and these are the DLL files it loads and executes from the application directory (which is in most cases the Downloads directory as explained above):

~~ Proof of concept/Steps to reproduce ~~

I only use one DLL to show that it is exploitable.

1. visit, download and store it as dwmapi.dll in your "Downloads" directory
2. download both installers (vcredist_x86.exe and vc_) and store them in your "Downloads" directory
3. run the two installers from your "Downloads" directory
4. notice the message boxes displayed from the DLL placed in step 1.

I have created a video, which shows this:
* webm: !aZYz0IIR!a_ycfhC10WGCfP-WArlRmEzLj-BVPr9-xDn8UfbtnrU
* gif: !jMR1hKLJ!vcaw-PypYm-nh2EDGfFrbxZuoOGm_fYX01NGtGOYyyo

Due to the application manifest embedded in the installers which specifies "requireAdministrator" the executable installer is run with administrative privileges ("protected" administrators are prompted for consent, unprivileged standard users are prompted for an administrator password); execution of the DLLs therefore results in a privilege escalation!

Additionally I noticed that vc_ is copied to the temporary directory. This should generally be avoided as %temp% is another unsafe directory, writeable by users without admin privileges. So when the file is placed there the same DLLs may be planted there or even the exe file itself may be replaced. I did not verify whether this is possible and is another vulnerability, but it is at least bad practice.

All this information is treated as strictly confidential and no other person knows about the issues I discovered. I have not submitted this information to anyone. Until the issue is resolved I will not tell anyone of this issue and keep it secret.
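A defensive check for the condition the report describes, added here as an example and not part of the original report or of any Microsoft tooling: it flags watched DLL names that sit in the same directory as an executable, as in a "Downloads" folder. The function name and the watchlist are assumptions; only dwmapi.dll comes from the report, and the demo files are constructed empty placeholders.

```python
import os
import tempfile

# dwmapi.dll is the name used in the report. Extend this set with other
# names you have observed installers loading from their own directory.
WATCHLIST = {"dwmapi.dll"}


def find_planting_candidates(directory, watchlist=WATCHLIST):
    """Return {dll_name: [exe_names]} for watched DLLs that share
    `directory` with at least one executable."""
    watch = {name.lower() for name in watchlist}
    dlls, exes = [], []
    for entry in os.scandir(directory):
        if not entry.is_file():
            continue
        lower = entry.name.lower()  # Windows file names are case-insensitive
        if lower.endswith(".exe"):
            exes.append(entry.name)
        elif lower.endswith(".dll") and lower in watch:
            dlls.append(entry.name)
    if not exes:
        # A stray DLL with no executable beside it is not loaded this way.
        return {}
    return {dll: sorted(exes) for dll in sorted(dlls)}


def demo():
    """Build a constructed 'Downloads' directory and scan it."""
    with tempfile.TemporaryDirectory() as downloads:
        for name in ("vcredist_x86.exe", "DWMAPI.DLL", "notes.txt"):
            open(os.path.join(downloads, name), "wb").close()
        return find_planting_candidates(downloads)


if __name__ == "__main__":
    print(demo())
```

Pointing the function at a real download or temporary directory before running a downloaded installer shows whether a watched DLL name is already present next to it.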
